[whatwg] JSONRequest

Douglas Crockford douglas at crockford.com
Fri Mar 17 10:44:46 PST 2006

The JSONRequest does only one thing: It exchanges data between scripts on pages with JSON servers in the web. It provides this highly valuable service while introducing no new security vulnerabilities. 

A browser within a firewall may have the capability to interact with a server (penzance.org). Computers on the outside do not have that capability. Can a computer on the outside (pirate.net) cause a browser to act as its agent in interacting with an internal server?

Currently, XMLHttpRequest does not allow a script from a page from pirate.net to connect to penzance.org because of the Same Origin Policy.

JSONRequest does allow the connection, but with some limitations:

    The method is POST
    The Content-Type is application/json. 
    The POST body data will be in JSON format.
    The response data will be in JSON format.
    The character encoding in both directions will be UTF-8, strictly enforced.

Does this allow improperly secured applications to be accessed? 

    Applications that are looking for GET cannot be accessed because JSONRequest only uses POST.
    Responses which are not JSON text will not be delivered to the requesting script.

This is sufficient to protect most legacy applications.

But what of legacy applications that accept POST? Could JSONRequest be used to improperly POST to these applications, thereby corrupting databases? JSONRequest mitigates this danger:

    The POST data is in JSON format, so as seen by conventional web applications, the first form field name will have a [" or {" prefix, which may cause a fault.

    Cookies and HTTP authentication are not sent.

Contrast this to form.submit, which can send a conventional POST body and cookies and HTTP authentication. JSONRequest is more secure than the form.submit feature which is currently implemented everywhere. By switching to a policy of responding only to well-formatted JSONRequest, applications can be made more secure.

When applications are designed to use JSONRequest, they can take advantage of the Domain HTTP header field which identifies the source of the page. This can be used to determine the origin of the page making the request, which can be useful to know when making access decisions. 
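
A server-side gate for the policy described above (respond only to well-formatted JSONRequest, then use the Domain header for the access decision), as an added example that is not part of the original post. The names `checkJSONRequest` and `ALLOWED_DOMAINS`, the request object shape, the assumption that Domain carries a bare host name, and the choice to reject requests carrying credentials are all assumptions of this sketch.

```javascript
// Added example: accept only well-formed JSONRequest POSTs, reject everything else.
// ALLOWED_DOMAINS and checkJSONRequest are hypothetical names, not from any spec.
const ALLOWED_DOMAINS = new Set(["penzance.org"]); // constructed allowlist

function checkJSONRequest(req) {
  // req: { method, headers (lower-cased names), body: Uint8Array }
  const h = req.headers || {};
  if (req.method !== "POST") return { ok: false, reason: "method" };

  // Content-Type must be application/json (parameters after ';' are ignored here).
  const type = String(h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (type !== "application/json") return { ok: false, reason: "content-type" };

  // JSONRequest sends no cookies or HTTP authentication,
  // so this example treats their presence as "not a JSONRequest".
  if ("cookie" in h || "authorization" in h) return { ok: false, reason: "credentials" };

  // Strict UTF-8: fatal mode throws on any malformed byte sequence.
  let text;
  try {
    text = new TextDecoder("utf-8", { fatal: true }).decode(req.body);
  } catch (e) {
    return { ok: false, reason: "encoding" };
  }

  // The body must be a JSON text whose top level is an object or an array.
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    return { ok: false, reason: "json" };
  }
  if (value === null || typeof value !== "object") return { ok: false, reason: "json" };

  // Access decision based on the Domain header described in the post.
  const domain = String(h["domain"] || "").toLowerCase();
  if (!ALLOWED_DOMAINS.has(domain)) return { ok: false, reason: "domain" };

  return { ok: true, value };
}

// Constructed sample requests.
const enc = (s) => new TextEncoder().encode(s);
const base = { "content-type": "application/json", domain: "penzance.org" };
const good = { method: "POST", headers: base, body: enc('{"op":"list"}') };
const formPost = { method: "POST", headers: { "content-type": "application/x-www-form-urlencoded", cookie: "sid=1" }, body: enc("a=1") };
const outsider = { method: "POST", headers: { ...base, domain: "pirate.net" }, body: enc("[1]") };
const badUtf8 = { method: "POST", headers: base, body: Uint8Array.from([0x7b, 0xff, 0x7d]) };
```

The conventional form POST is rejected at the Content-Type check before its cookie is ever considered, which is the property the post relies on when contrasting JSONRequest with form.submit.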

